DOJ rebrands encryption pitch

By Derek B. Johnson

Oct 11, 2017

The Department of Justice is looking to reframe a debate on the issue of obtaining access to encrypted communications.

In an Oct. 10 speech at the United States Naval Academy in Annapolis, Md., Deputy Attorney General Rod Rosenstein took aim at major tech companies, arguing that "there is no constitutional right to sell warrant-proof encryption" and that the government should stop negotiating with companies and start exploring legal means to compel compliance with court orders.

For years, the FBI and other law enforcement officials have decried the proliferation of easily available end-to-end encryption in apps like Facebook Messenger, WhatsApp, Signal and others, arguing that the technology creates a blind space for law enforcement.

In 2014, then-FBI Director James Comey said he wanted to begin a "national conversation" about this phenomenon, which he called "going dark."

Now, the Trump administration is looking to reframe that conversation, arguing that technology companies already possess the architecture to provide law enforcement access to encrypted communications when served with a lawful court order. Rosenstein calls this, "responsible encryption."

"Such encryption already exists," Rosenstein said. "Examples include the central management of security keys and operating system updates; the scanning of content, like your e-mails, for advertising purposes; the simulcast of messages to multiple destinations at once; and key recovery when a user forgets the password to decrypt a laptop." Rosenstein added that "no one calls any of those functions a 'backdoor.' In fact those capabilities are marketed and sought out by many users."

Kurt Opsahl, deputy executive director and general counsel for the Electronic Frontier Foundation, disputed Rosenstein’s assertion in a blog post shortly following the speech.

Others have argued that the burden should not be placed on private companies to hand over decryption tools to law enforcement and intelligence agencies when government networks and tools have been, to the embarrassment of the U.S. government, repeatedly breached and stolen.

Michelle Richardson, deputy director for the Center for Democracy and Technology, said it is impossible to give the government the kind of access to mainstream consumer technology products it is asking for without creating security holes that could also be used by malicious hackers.

"While we sympathize with the government and how they want to solve these cases, there’s no reasonable solution," said Richardson. "The stated concern is that these backdoors will be exploited by bad guys, and the Department of Justice responds with, 'We have a warrant.’ You've just changed the topic. That's not what we’re talking about here."

In a statement to FCW, Sen. Ron Wyden (D-Ore.), a member of the Senate Select Committee on Intelligence, called Rosenstein's speech an attempt to rebrand previous unsuccessful efforts to force tech companies to weaken the security of their products to facilitate government surveillance.

"Despite [Rosenstein’s] attempts at rebranding, a government backdoor by another name will still make it easier for criminals, predators and foreign hackers to break into our phones and computers," Wyden said. "The Department of Justice should be using their bully pulpit to promote the adoption of strong encryption and other defensive cybersecurity technologies, not demonizing companies who are attempting to protect their customers' private data and compete on cybersecurity."

It's not clear what if any policy changes are being teed up by Rosenstein's speech. While he did not call for any specific new law or regulation, he suggested that official action may be in the offing.

"Technology companies almost certainly will not develop responsible encryption if left to their own devices. Competition will fuel a mindset that leads them to produce products that are more and more impregnable," he said.

Matthew Green, a computer science professor at Johns Hopkins and a frequent public commentator on cybersecurity issues, noted that any new U.S. government policy could open the door to foreign governments seeking access to the same data.

"It's hard to reconcile 'responsible encryption' (where governments have access to your data) with the ongoing warnings about Kaspersky. If our plan is to hand over access to all our data to governments, then that will inevitably include foreign governments," Green said on Twitter.

About the Author

Derek B. Johnson is a staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at djohnson@fcw.com, or follow him on Twitter @derekdoestech.